Experiencing a Security Breach?

24 Hour Hotline: +1 (866) 659-9097 Option 5

General

+1 (312) 873-7500

Monday - Friday 8:00 AM - 6:00 PM CT (UTC -6)

Sales

Contact a Trustwave solution specialist.

+1 (888) 878-7817

Monday - Friday 8:30 AM - 5:30 PM CT (UTC -6)

Loading...

Blogs & Stories

SpiderLabs Blog

Attracting more than a half-million annual readers, this is the security community's go-to destination for technical breakdowns of the latest threats, critical vulnerability disclosures and cutting-edge research.

Sundown EK – Stealing Its Way to the Top

Sundown is one of the newest Exploit Kits on the market these days, and like many up-and-coming exploit kits before it, this means that it is in under constant development.

With the recent disappearance of the Angler and Nuclear exploit kits, both big players in the EK scene, a gap has been left in the market; and although most of it has been filled by more prominent exploit kits, such as Neutrino and RIG, there seems to be enough room for smaller players such as Sundown to step up and grab their slice of the proverbial pie.

A little over a year ago, Kaffeine talked about Sundown in a blog post, describing it as nothing special and just "mentioning this EK is around". Until recently not much has been done by Sundown's developers to try and rise up into the list of bigger and more serious exploit kits, and unfortunately for them, even those recent attempts to improve still didn't feel very serious…

So in order to upgrade the capabilities of Sundown, the author decided to take the following measures:

Outsource the panel & DGA coding work to the "Yugoslavian Business Network"

Steal exploits from other EK and incorporate them to Sundown

In this blog post we will go through the recent changes in the Sundown code and discuss its newly incorporated (stolen) exploits.

Sundown's use of subdomains or, "fake domain shadowing":

Figure 1: A Tweet from @edx mentioning Sundown starting to use subdomains

As spotted by edx, sundown started to use subdomains for their .top/.pw domains , but the domain names look like a cat walked on your keyboard, and thus suspicious as hell.

Recently, however, we encountered an instance of sundown that uses what looks like domain shadowing which appears to be an actor using sundown in a more sophisticated way:

It looks like the actor bought a soon-to-be-expired domain cheap in order to benefit from their good reputation, and pointed them to the ip address of the legitimate service no-ip, this method likely helps the subdomains, which point to a different malicious IP address, stay alive longer before they are blacklisted.

So let's take a look at the new landing page, shall we?

Figure 2: The new Sundown landing page

So what have we here? Some new info.js file that is being loaded, a ".dec" function called with some encrypted data followed by document.write of the decrypted code.

Next, the HTML tag is closed, and another one is opened for no apparent reason with some more script stuff.

But this is probably not a bug, but rather a feature: Sundown adds this code, whose purpose we will discuss further down the blog, to every page, most probably using a php include such as:

<?php include 'leetdetection.html';?>

We poked a little and observed it add this script even to invalid requests made to the landing page. In the past, such requests used to simply display the YBN logo, and now along with this lovely logo one will also receive this mysterious script:

Figure 3: The page that Sundown shows when you try to access its landing page incorrectly

Figure 4: The lovely YBN logo

So what is info.js and the .dec function we keep encountering?

Figure 5: A snippet from the info.js file

Encryption is great as long as you don't give away the key:

Figure 6: The decryption key is stored in plain-text

So what was encrypted? An obfuscated script which is basically a base64 decode of more obfuscated data:

Congratulations to all those who made it to the short blacklist of Sundown:

Figure 9: A list of security products Sundown is checking to avoid detection

Ok, so this super-secret encoded stuff was just an old technique to avoid detection, so where is the actual exploit stuff??? "You promised a new shiny exploit…"

Let's check the 2nd HTML Document tag

The 2nd HTML Document contains 4 script tags, which are essentially the same script as the decoded script we found that use base64 to decode a string, so perhaps in a future update Sundown will use this same info.js to further encrypt these chunks as well…

The last and fourth script is the shiny new exploit that was added, drumroll please:

Figure 10: The 4th script that was encoded by base64

Figure 11: Fiddler capture of the files loaded by the new Sundown landing page

Figure 12: A snippet of the code in 96.swf that is used to unpack the Go_var1 binarydata

Ok, so what is this new mysterious 96.swf you ask?

It has some nifty binary data - could it be that Sundown has finally coded an exploit from scratch?

As you can see the "Anim" function is used to read the binary data which is XOR encrypted, and decrypt it. For readability purposes here is the same code with variables renamed:

Fig 13: The XOR function with renamed variables

What we see here is a XOR decryption loop with a little twist. The XOR key is incremental, meaning that after each decrypted loop the XOR key value is incremented by 17. However, this is completely equivalent in cryptographic strength to a single XOR key, as the code increments it by a constant value.

This loop also does a sanity check at the beginning (line #5) to ensure that the first decrypted byte has the decimal value 70 (46 in hex) which corresponds to a first letter of the Flash file header (FWS).

We have written a simple python script to encode the binary data which is a 2nd stage flash exploit.

In order to use it, you need to extract the binary data from the flash file, you can use JPEXS FFDec or swfextract "swfextract -v -b 1 96.swf -o 1_Go_var1.bin"

Guess what is the 2nd stage flash? That's right, another stolen exploit, this time it is MagnitudeCVE-2016-4117